BugBounty is a crowdsourcing cybersecurity solution. Organizations like  Pentagon, Google, Yahoo, Microsoft, Pornhub, Netflix, MIT, etc many other organizations from small to big paying huge to hackers for finding security issues. According to CNBC & BBC, Hackers are making millions of dollars from this upgrowing industry.

A reward offered to a perform who identifies an error or vulnerability in a computer program or system.
‘The company boosts security by offering a bug bounty’

I use tools for creating more attack surfaces by digging into the website.These are my personal preferences and might vary from person to person.

Sniper: It is an automated scanner that includes a lot of tools and automates your results. Yes, it takes a lot of time for the results as it passes your target through many tools and shows all its results in one place. I have sniper setup in my VPS and meanwhile, I check other things manually like web services, WAF, content discovery, etc.

link: https://github.com/1N3/Sn1per

Lazy Recon: It is an automate script written in bash which includes a lot of subdomain tools. You do not need to run each tool separately.

link: https://github.com/nahamsec/lazyrecon

Burpsuite : Burpsuite is the most used tool which includes lot of features like scanning, fuzzing,bruteforcing,encoding-decoding etc.The main feature is intercepting the browser requests. Once you start playing with it, it will become your best friend.Also make sure you have JDK installed.

It comes with two versions Community and Pro.Free community version is enough for starting with it.

link: https://portswigger.net/burp

Content Discovery tools : I have number of tools in my mind  like Wfuzz, dirbuster, gobuster etc, you can install it.

sudo apt install dirbuster

sudo apt install gobuster

sudo apt install wfuzz

Here, more than any tool it depends on your wordlist for good content discovering.

SecList:- Seclist has a collection of wordlists and really helpful in Blackbox Testing. As I said wordlist is more important here.Many contributors are contributing and updating this every week. So this is the best and widely use wordlist.

Download it from GitHub or you can install it through APT.

sudo apt install seclists

Nmap: Nmap is the network scanner and has the ability to discover hosts and services. It is old and still powerful.

Once I have subdomain list, I use :

sudo apt insall nmap

sudo nmap -iL subdomain.txt > nmap.txt

This will eventually take a lot of time but you won’t regret running it.Till then check other tool results or grab a cup of coffee.

Arjun: I mostly use Arjun when I am lazy enough to beautify the JS file and go through it manually. So it helps me to find parameters through the JS files.

link: https://github.com/s0md3v/Arjun

OpenRelayMagic: This tool helps to find SMTP servers vulnerable to openrelay.

1. Check single target/domain list
2. Port 587 and 465 Implemented
3. Multithreaded

link: https://github.com/bl4ckmamb4/OpenRelayMagic

Teh S3 Bucketeers: It is use for finding AWS open buckets.

link: https://github.com/tomdev/teh_s3_bucketeers

Cloudflair: CloudFlair is a tool to find origin servers of websites protected by Cloudflare who are publicly exposed and don’t restrict network access to the Cloudflare. Most of the websites are Cloudflare connected for an extra layer of security so this tool will help you to find the origin IP.

link: https://github.com/christophetd/CloudFlair

Tip: Most of these aggressive tools get detects by the WAF (Web Application Firewall) and lead you to false results. So you can always use random-agent option which you can find in most of the tools or use TOR for not ending up in false positives.


Thus we conclude the list of tools that I mostly use while I am into BlackBox pentesting. Let me know if you want me to add any other tools.

Copy link